TikTok Fined $600 Million for GDPR Breach Over Data Transfers to China
TikTok has been fined €530 million (around $600 million) by an Irish court for breaching the EU's GDPR by transferring European user data to servers in China. The ruling cited risks from Chinese laws that could allow government access to this data. TikTok must comply within six months and faces further regulatory actions. This is one of the largest GDPR fines to date, underscoring growing scrutiny on data privacy and cross-border data transfers.
In a landmark decision, TikTok has been ordered by an Irish court to pay a €530 million fine, approximately $600 million, for violating the European Union’s General Data Protection Regulation (GDPR). The penalty stems from TikTok’s transfer of European users’ data to servers located in China, which the court found to be non-compliant with GDPR standards.
The Irish Data Protection Commission (DPC) highlighted that TikTok could not guarantee that data transferred to China would be protected to the same standard as within the EU. The court specifically pointed to China’s anti-terrorism and counterespionage laws, which potentially allow Chinese authorities access to European user data, raising significant privacy and security concerns.
The fine is split into two parts: €485 million for the unlawful data transfers and €45 million for a privacy policy that did not adequately explain these transfers. Although TikTok updated its privacy policy in 2022 to bring it into compliance, the court ruled that this update came too late to mitigate the breach.
TikTok has committed to investing €12 billion in European data centers to enhance data sovereignty, but this investment did not influence the court’s decision. The company has six months to align its data processing practices with GDPR requirements, with the possibility of appealing the ruling.
During the investigation, TikTok maintained that user data was only remotely accessed from China and not stored there. However, the company later acknowledged that a limited amount of European user data had been stored on Chinese servers, which has since been deleted. This admission has prompted warnings from the DPC about potential further regulatory actions.
This fine ranks as the third-largest GDPR penalty to date, following those imposed on Meta and Amazon. It follows a previous €367 million fine against TikTok in 2023 related to the processing of children’s data. The ruling underscores the increasing regulatory scrutiny on how global tech companies handle user data, especially concerning cross-border transfers and compliance with stringent EU privacy laws.
Beyond Europe, TikTok’s operations face uncertainty in the United States, where the app is banned over national security concerns related to data control by Chinese authorities. The company must find a US buyer to continue operating there, with ongoing negotiations delayed by geopolitical tensions.
Broader Implications for Data Privacy and Compliance
This ruling highlights the challenges global tech companies face in balancing data flows across jurisdictions with varying privacy regulations. It signals a strong enforcement stance by European regulators to protect user data sovereignty and privacy rights. Companies must rigorously assess their data transfer mechanisms and privacy policies to avoid similar penalties.
For businesses operating internationally, this case serves as a critical reminder to prioritize transparent data governance, invest in local data infrastructure, and maintain compliance with evolving data protection laws. The financial and reputational risks of non-compliance are substantial, making proactive data privacy strategies essential.